Router behind router - how to prevent second router clients from accessing first router clients

[Nullity]

jegesq - thank you very much for the useful links and advice. I already knew that router 2 devices could access router 1 connected devices.
What was new to me is that malicious router 1 connected devices can intercept router 2 traffic simply because they are on the same ethernet, taking advantage of the ARP protocol!

The problem with 3 routers is off course that you basically hard-wire 2 separate networks. Considering the fact that I am dealing with long distances and multiple unmanaged switches, this is a costly and time consuming exercise.

Nullity - I really like the VLAN idea. I could put Tomato on the router. We currently have several unmanaged switches. Do these all have to be changed out with a managed switches if we put in VLAN?

I think most of the modern WiFi routers are capable of segregating each ethernet port from another, if your switches are not capable of VLANs. I think this post by sinshiva details how to achieve your goal. There's all sorts of awesome posts hidden around the forum.

PS - His posts uses VLANs, but I think that is purely for separating the ports within the Asus router. No VLAN capabilities needed outside the router itself.

 

[jegesq]

Nullity,

I actually think fooling around with VLAN tagging and the scripting necessary on an Asus RT-AC66 is going to be a lot more difficult and time-consuming than heading to a store and picking up a $50 non-wifi "dumb" router to use as a main gateway, hanging two already owned RT-AC66's off that new cheapo router's LAN ports, and then configuring two new IP ranges on the two existing RT66's in order to create separate LANS. Maybe I'm missing out on some fun, but it just seems simpler to me than something like Sinshiva's thread.

And besides, the simple answer is that VLAN's are designed to segregate traffic (more from a management and data flow perspective than security), they don't exist to secure any of the individual traffic streams (there's no encryption involved), so security assessors won't be happy if your security model is based solely around VLAN segregation. You're still vulnerable to ARP-spoofing, DHCP hacks, VLAN hopping and Spanning Tree exploits from a malicious device (or a hacker) that gains access on your less secure "secondary" guest/customer VLAN (using Bobby's example).

 

[Nullity]

Listen to jegesq.

If I were OP, I would get off of the forums & open a book on computer internetworking or hire a professional. If this is a business, please do not be half-assed. A business should "Do it right" since so much is at stake.

Edit: I have honestly lost track of this thread and I am pretty sure I am speaking nonsense regarding a cascaded router setup with a focus on multi-LAN segregation. If so, please say so and I will edit my earlier misinformative posts.

 

[Nullity]

Nullity,

I actually think fooling around with VLAN tagging and the scripting necessary on an Asus RT-AC66 is going to be a lot more difficult and time-consuming than heading to a store and picking up a $50 non-wifi "dumb" router to use as a main gateway, hanging two already owned RT-AC66's off that new cheapo router's LAN ports, and then configuring two new IP ranges on the two existing RT66's in order to create separate LANS. Maybe I'm missing out on some fun, but it just seems simpler to me than something like Sinshiva's thread.

And besides, the simple answer is that VLAN's are designed to segregate traffic (more from a management and data flow perspective than security), they don't exist to secure any of the individual traffic streams (there's no encryption involved), so security assessors won't be happy if your security model is based solely around VLAN segregation. You're still vulnerable to ARP-spoofing, DHCP hacks, VLAN hopping and Spanning Tree exploits from a malicious device (or a hacker) that gains access on your less secure "secondary" guest/customer VLAN (using Bobby's example).

I think the security concerns you mention are invalid regarding the post by sinshiva, since all VLAN traffic is internal to the Asus device.

Would you mind explaining how an additional WiFi AP device is a benefit considering that the devices must be cascaded? VPN/IPsec?

 

[jegesq]

Nullity,

My only point was that as Steve Gibson explains in greater detail in his podcast, the three-router method of isolating independent LANs is easy, cheap, and it just works, and it would achieve exactly what Bobby is looking for as expressed in his original post. Obviously though, as he writes in one of his later posts, distances between the locations of the two LANS is going to prevent him from running cable, so in that sense this solution might not work for him. But otherwise, I see no reason to be critical of this method. Or, as you suggest, you can crack out the scripting tools and get to work trying to have the RT-AC66 perform VLAN tagging, something which its firmware doesn't natively enable. But there is the satisfaction of knowing that one can make it work, I suppose.

Lastly, I am puzzled by your statement asking if I would mind explaining how an "additional WiFi AP" would be of benefit? I don't believe I ever mentioned an additional wifi AP in either of my posts in this thread.

 

[Nullity]

Nullity,

My only point was that as Steve Gibson explains in greater detail in his podcast, the three-router method of isolating independent LANs is easy, cheap, and it just works, and it would achieve exactly what Bobby is looking for as expressed in his original post. Obviously though, as he writes in one of his later posts, distances between the locations of the two LANS is going to prevent him from running cable, so in that sense this solution might not work for him. But otherwise, I see no reason to be critical of this method. Or, as you suggest, you can crack out the scripting tools and get to work trying to have the RT-AC66 perform VLAN tagging, something which its firmware doesn't natively enable. But there is the satisfaction of knowing that one can make it work, I suppose.

Lastly, I am puzzled by your statement asking if I would mind explaining how an "additional WiFi AP" would be of benefit? I don't believe I ever mentioned an additional wifi AP in either of my posts in this thread.

My mistake. I was referring to the additional non-wifi router. I misspoke. Pretend I said "additional networking device".

When the devices are cascaded, I do not see how the additional router would help. I am not exactly trying to argue or be critical (as I said, your post is probably right), rather, I am trying to offer another option for the OP to choose from.

I think the 3 router option is not applicable to a cascaded (tree or bus network topology) setup like the OP is forced to use.

Regarding what method is cheapest, easiest, simplest, etc... I leave that up to the reader. I primarily want to share information that can help the reader make a more informed decision. I would rather not make the decision for them.

Edit: I mistakenly said AP rather than router... again.

 

[ColinTaylor]

I think there must be a way to configure router 2 not to let traffic go through to router 1 clients.

On my ASUS RT N66U I can blacklist the following variables (under firewall/network services filter):

source IP (this would be 192.168.0.0/24)
Port Range
Destination IP (this would be 192.168.1.0/24)
Port range
Protocol (TCP/UDP)

I cannot get this to work...

This should work in theory. There's no need to specify the source IP range as leaving it blank is the same as specifying the whole LAN (of that router).

Create 2 rules, one for UDP and one for TCP. Do not use TCP ALL.

When you say that you could not get it to work what exactly happened? Did you lose all internet connectivity? Or are you just pinging something in 192.168.1.x? Remember that pings will still work because they are ICMP packets and you are only blocking TCP and UDP. (In my routers firmware there is a separate field called "Filtered ICMP packet types")

Regarding malicious clients on router 1 messing with the traffic from router 2... Router 1 is your trusted office LAN. If you've got something malicious attached to that router then you've got a much bigger problem than worrying about what they might be doing to router 2!

 

[Nullity]

If security is paramount, you could use 3 routers and have the 2 client network routers use VPN/IPsec to the gateway router, right?

 

[jegesq]

If security is paramount, you could use 3 routers and have the 2 client network routers use VPN/IPsec to the gateway router, right?

I think so. But I'm not sure that it would even be necessary to implement VPN/IPsec to the gateway at all. When you create the two completely independent LANS, they can't talk to each other, not only at an IP level, but also at the Ethernet level, which is why Steve Gibson thinks the three-router method of creating two entirely independent LANS off a "Y" (or in a semi-parallel, rather than in serial with everything on the same wire) is pretty much bullet-proof from a security point of view. In fact he says it's "absolutely" bullet-proof by doing nothing more than defining separate LANS that cannot and do not communicate with one another.

 

[Manny]

This isn't a new subject and Tim Higgins also wrote an article on this same subject back in 2003 here at SNB: http://www.smallnetbuilder.com/lanwan/lanwan-howto/24428-howtotwoprivlan?start=1. Using his setup will require some additional hardware, but it's pretty cheap these days. All you really need is single additional router/switch (of course could just be another RT-AC66 if you prefer, but there are even less costly ways to go).

Steve Gibson just suggested something similar, but for a different reason, in a recent Security Now! podcast (see https://twit.tv/shows/security-now/episodes/545?autostart=false). He suggested a three router set up (not connected in serial, but parallel) in which you'd connect your two existing routers (as DHCP clients of the main router) and give them each entirely separate sub-LAN addresses, (e.g., one with 192.168.x.x, and the other with 10.0.x.x, or 172.x.x.x). You just need to remember to change each of the subnet routers so that they point to the Gateway IP and Primary DNS of the "main" router. Basically, you're just telling each of your two existing routers (which will essentially now be completely separate networks from one another) to route all internet traffic to the "main" router, and use its DHCP.

Gibson's podcast (the discussion of a three-router set up begins at around 1:06:00), frames the issue in terms of the need to keep you main LAN secure from potential threats posed by many of the new IOT devices (think thermostats and lightbulbs). He refers to the "evil IOT light bulb, that by design remain accessible over the net and which creates an inherent security threat. You want to keep such devices off and away from your secure and private LAN because they pose an open highway to outside malicious threats, even with a good firewall. He's got some really interesting info and it's worth the time to listen to what he has to say.

Check out Tim's article, and Steve Gibson's podcast or just read the show notes and his web stuff on NAT security at GRC.com (see, https://www.grc.com/nat/nat.htm and https://www.grc.com/nat/nats.htm). I think you'll find it helpful to what you're trying to accomplish.

Hi all,

I love this idea; whish brand of router would be good for this?

I have just received my new RT-AC88U, I have to set this up over the weekend and this would be the best time to set this up.

All help would be appreciated…


Thank You,

 

[L&LD]

Hi all,

I love this idea; whish brand of router would be good for this?

I have just received my new RT-AC88U, I have to set this up over the weekend and this would be the best time to set this up.

All help would be appreciated…


Thank You,

Do you have three routers? Opinion: best brand would be Asus running RMerlin firmware (or the forks, thereof).

 

[Manny]

Do you have three routers? Opinion: best brand would be Asus running RMerlin firmware (or the forks, thereof).

No, just Surfboard extreme cable modem and my RT-AC88U, just need to buy three routers.

If I can fined them for a good price…

Do you have a link to a good router for this setup.

Thank You,

 

[Nullity]

I think so. But I'm not sure that it would even be necessary to implement VPN/IPsec to the gateway at all. When you create the two completely independent LANS, they can't talk to each other, not only at an IP level, but also at the Ethernet level, which is why Steve Gibson thinks the three-router method of creating two entirely independent LANS off a "Y" (or in a semi-parallel, rather than in serial with everything on the same wire) is pretty much bullet-proof from a security point of view. In fact he says it's "absolutely" bullet-proof by doing nothing more than defining separate LANS that cannot and do not communicate with one another.

but OP cannot do a "Y" setup. One router must pass through another. He cannot run two cables, apparently.

 

[bobby]

This should work in theory. There's no need to specify the source IP range as leaving it blank is the same as specifying the whole LAN (of that router).

Create 2 rules, one for UDP and one for TCP. Do not use TCP ALL.

When you say that you could not get it to work what exactly happened? Did you lose all internet connectivity? Or are you just pinging something in 192.168.1.x? Remember that pings will still work because they are ICMP packets and you are only blocking TCP and UDP. (In my routers firmware there is a separate field called "Filtered ICMP packet types")

Regarding malicious clients on router 1 messing with the traffic from router 2... Router 1 is your trusted office LAN. If you've got something malicious attached to that router then you've got a much bigger problem than worrying about what they might be doing to router 2!

You are right, I am not worried too much about the safety of clients under router 2.

I could ping the clients in under router 1 from a laptop under router 2. I could also open the WEB GUI of a device from router 1 when my laptop was connected to router 2.

 

[kvic]

It's a trivial task to accomplish with iptables rules at the worst case IMHO. Wait for ColinTaylor to opine in..

 

[ColinTaylor]

I could ping the clients in under router 1 from a laptop under router 2.

That's expected, as explained above.

I could also open the WEB GUI of a device from router 1 when my laptop was connected to router 2.

That's very strange.

I've just tried it here and it seems to work OK. Here is the forward chain with the rules correctly inserted.

# iptables -L FORWARD -v -n
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state INVALID
 2708 1420K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 DROP       all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    6   304 DROP       tcp  --  br0    eth0    0.0.0.0/0            192.168.0.0/24
    0     0 DROP       udp  --  br0    eth0    0.0.0.0/0            192.168.0.0/24
   59  3124 ACCEPT     all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate DNAT
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

As you can see, when I pointed my browser to 192.168.0.1 it blocked the connection.

It might be worth you trying the Network Filter again and then SSH'ing into the router to check that the rules have been created correctly.

Are you using the Parental Control feature as well? There is a bug in the firmware whereby if you enable Parental Control it ignores all of the Network Filter settings.

P.S. I don't think you mentioned which firmware you are using. If you use Merlin's then as kvic suggested you could create a custom script for the iptables rules if necessary.

 

[Manny]

Hello everyone,

This is what I am thinking; tell me if I am off the wall with this.
Cable modem: Surfboard extreme SB6120 it will be time to upgrade the Cable modem before long.

Router 1: TP-Link TL-ER5120 DHCP Server

Router 2: TP-Link TL-ER5120 LAN

Router 3: TP-Link TL-ER5120 WAN

My RT-AC88U goes into the WAN of Router 3


Thank You for your help…

 

[ColinTaylor]

@Manny : This is getting rather off-topic from the OP's specific requirements. Perhaps it's better to start a separate thread?

 

[Manny]

ok

 

[bobby]

That's expected, as explained above.
That's very strange.

I've just tried it here and it seems to work OK. Here is the forward chain with the rules correctly inserted.

# iptables -L FORWARD -v -n
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state INVALID
2708 1420K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 DROP       all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    6   304 DROP       tcp  --  br0    eth0    0.0.0.0/0            192.168.0.0/24
    0     0 DROP       udp  --  br0    eth0    0.0.0.0/0            192.168.0.0/24
   59  3124 ACCEPT     all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate DNAT
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

As you can see, when I pointed my browser to 192.168.0.1 it blocked the connection.

It might be worth you trying the Network Filter again and then SSH'ing into the router to check that the rules have been created correctly.

Are you using the Parental Control feature as well? There is a bug in the firmware whereby if you enable Parental Control it ignores all of the Network Filter settings.

P.S. I don't think you mentioned which firmware you are using. If you use Merlin's then as kvic suggested you could create a custom script for the iptables rules if necessary.

Hi Collin,

thank you VERY MUCH for your advice. The office is closed right now, until February 18. So I will try this on February 19.

For now I can tell you that I do not use parental controls.

I am using the latest version of Merlin's firmware: RT-N66U_380.57_0 (31 Jan 2016)

I filled in the Network Services Filter Settings as follows (router 2):

source IP ->empty
Port Range ->empty
Destination IP ->192.168.1.*
Port range -> empty
Protocol (TCP/UDP) -> both

Is Router 1 perhaps forwarding this traffic, and not router 2? Am I making a gigantic error?
Or is it really a bug in the firmware?